Blacklisted on 2 separate occasions - not sure why?

Hi Experts,
Recently our email domain/Public IP address has been blacklisted on two separate occasions over the past 3 weeks on two different black lists which caused outgoing/external email to get bounced. Incoming email seemed to be unaffected.

On the most recent occasion we got added to one black list on Friday and I got us removed on Saturday, but we are still getting a small number of emails that are being bounced back and not sure why - any ideas? I'm concerned we may get added again if we don't find out the cause of the issue. We are currently running SBS 2003 as our email server and have a Sonicwall email security/Spam appliance that filters email. We have AVG anti-virus installed on all servers and client computers.
Is there any way to find out why we got onto the blacklists in the first place? Any software tools available? Also really want to prevent us from getting onto any black lists in the future.

Two example NDRs we have received are the following:

The following recipient(s) cannot be reached:
1)
firstanme@companya.co.uk on 17/10/2011 13:38
This message was rejected due to the current administrative policy by the destination server. Please retry at a later time. If that fails, contact your system administrator.
<mail.wisdom.ltd.uk #5.3.2 smtp;554 mx.ptn-ipin04.plus.net Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.>

2)

The following recipient(s) could not be reached:
firstname.lastname@zzzcompnay.co.uk on 17/10/2011 16:55
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
<mail.wisdom.ltd.uk #5.0.0 smtp;550 Invalid recipient <firstname.lastname@zzzcompnay.co.uk > (#5.1.1)>

The first example is due to reputation, but the second indicates the person you sent to at that domain does not exist. The second indicates the person is not at that email address. Typically due to a typo.

You didn't mention how large your installation is, but chances are some PC is sending spam. Where do you send your email, to a local Exchange server or to an ISP directly? If you have a local MTA then check the logs to see if anyone in particular is sending a lot of email. If you are sending spam then probably some of those emails are being bounced and returned to you. If you can look at the headers of one of those, it might give you a clue. If you have one, please post it.


I've checked our blacklist status at mxtoolbox.com and we don't appear to be listed on any blacklists at the moment

0

kevin1983Author Commented: 2011-10-18

HendrikWiese: do you mean ask our internet service provider to set up a PTR for our public domain? Is there a way to check to see if we already have one set up?

0

kevin1983Author Commented: 2011-10-18

carlmd: the second NDR had the correct recipient email address - the user has emailed that person before so I don't think it's a typo.

Our setup is quite small and we send our email to a local Exchange 2003 server (well, an SBS 2003 server) and it uses the Sonicwall Email Security 300 appliance as a smart host. Which logs should I check and where do I find them? If you can clarify where to check the headers I'll post on here.

Check the Exchange logs first; you are looking for a user sending an unusually large number of emails. Also look at the outgoing email queue to see if there are a lot of messages queued. Typically with a spam sender you could see 1,000 or more.

Then check the logs on the Sonicwall as well, again looking for a spike in outgoing mail.

The headers would be helpful only if you get back a bounced spam email. They could tell you what user is sending those emails, assuming that is your problem.
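The kind of check described above (one sender producing far more outbound mail, to far more unrelated domains, than anyone else) can be scripted once the message tracking data is exported. The script below is an added example for this thread, not code from the original post or from any vendor. It assumes a simplified tab-separated export with the columns date, time, sender, recipient, event; the real Exchange 2003 tracking log has more columns, so `parse_line()` would need adapting. The log lines it runs over are constructed for the demonstration.

```python
"""Flag senders with unusual outbound volume in a mail log export.

Assumed (hypothetical) column layout: date, time, sender, recipient, event.
Adapt parse_line() to the real tracking log format before use.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: two normal users and one account ("dave") bursting
# mail to many unrelated domains, the footprint a spam-relaying PC leaves.
SAMPLE_LOG = """\
# date\ttime\tsender\trecipient\tevent
2011-10-17\t09:02:11\talice@example.co.uk\tbob@partner.example\tSMTP_SEND
2011-10-17\t09:15:40\talice@example.co.uk\tcarol@partner.example\tSMTP_SEND
2011-10-17\t10:01:05\tbob@example.co.uk\tfred@partner.example\tSMTP_SEND
2011-10-17\t13:38:02\tdave@example.co.uk\tx1@random1.example\tSMTP_SEND
2011-10-17\t13:38:03\tdave@example.co.uk\tx2@random2.example\tSMTP_SEND
2011-10-17\t13:38:03\tdave@example.co.uk\tx3@random3.example\tSMTP_SEND
2011-10-17\t13:38:04\tdave@example.co.uk\tx4@random4.example\tSMTP_SEND
2011-10-17\t13:38:04\tdave@example.co.uk\tx5@random5.example\tSMTP_SEND
2011-10-17\t13:38:05\tdave@example.co.uk\tx6@random6.example\tSMTP_SEND
2011-10-17\t13:38:05\tdave@example.co.uk\tx7@random7.example\tSMTP_SEND
2011-10-17\t13:38:06\tdave@example.co.uk\tx8@random8.example\tSMTP_SEND
2011-10-17\t13:40:00\tdave@example.co.uk\tx9@random9.example\tLOCAL_DELIVERY
"""


def parse_line(line):
    """Split one export line into (timestamp, sender, recipient, event)."""
    date, time, sender, recipient, event = line.rstrip("\n").split("\t")
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, sender.lower(), recipient.lower(), event


def outbound_summary(lines, event="SMTP_SEND"):
    """Per-sender outbound message count and number of distinct recipient domains.

    Only lines whose event matches `event` (outbound SMTP delivery) are counted;
    comment lines and blank lines are skipped.
    """
    messages = Counter()
    domains = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, sender, recipient, ev = parse_line(line)
        if ev != event:
            continue
        messages[sender] += 1
        domains[sender].add(recipient.rsplit("@", 1)[-1])
    return {s: {"messages": messages[s], "domains": len(domains[s])} for s in messages}


def flag_suspicious(summary, max_messages=5, max_domains=4):
    """Senders over either threshold, busiest first.

    Thresholds are deliberately low for the sample; on a real site set them
    from a few days of normal traffic so ordinary users never trip them.
    """
    hits = [s for s, st in summary.items()
            if st["messages"] > max_messages or st["domains"] > max_domains]
    return sorted(hits, key=lambda s: summary[s]["messages"], reverse=True)


if __name__ == "__main__":
    stats = outbound_summary(SAMPLE_LOG.splitlines())
    for sender in flag_suspicious(stats):
        print(f"{sender}: {stats[sender]['messages']} messages to "
              f"{stats[sender]['domains']} domains")
```

Distinct recipient domains is the more telling number: a genuine mail-merge goes to many people but usually a few domains, whereas a compromised machine sprays one or two messages at hundreds of domains.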

1. Go to www.mxtoolbox.com
2. Type in your domain name
3. Click on the MX Lookup button
4. Now take your mouse pointer over your IP address and click
5. Now it will check if you have a PTR setup if you don't have one it will obviously return no results

0
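What the MX Lookup steps above check by hand is usually called forward-confirmed reverse DNS: the sending IP must have a PTR record, the name in that PTR must resolve back to the same IP, and the name the mail server announces in HELO should match. The script below is an added example written for this thread, not the tool's or the vendor's code. The resolver functions are passed in as parameters so the logic can be exercised offline against constructed DNS data; the `live_ptr`/`live_a` defaults use the standard library resolver for a real check.

```python
"""Forward-confirmed reverse DNS check for a sending mail host."""
import socket


def live_ptr(ip):
    """PTR name for ip via the system resolver, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def live_a(name):
    """Sorted IPv4 addresses for name, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except OSError:
        return []


def check_sending_host(ip, helo_name, ptr_lookup=live_ptr, a_lookup=live_a):
    """Return a list of problems; an empty list means the host passes all three checks."""
    problems = []
    ptr = ptr_lookup(ip)
    if ptr is None:
        problems.append(f"no PTR record for {ip}")
        return problems  # nothing further can be confirmed without a PTR
    ptr = ptr.rstrip(".").lower()
    forward = a_lookup(ptr)
    if ip not in forward:
        problems.append(
            f"PTR {ptr} does not resolve back to {ip} (got {forward or 'nothing'})")
    if helo_name.rstrip(".").lower() != ptr:
        problems.append(f"HELO name {helo_name} differs from PTR {ptr}")
    return problems


# Constructed DNS data for the offline demonstration (documentation-range IPs,
# not the thread's real records).
FAKE_PTR = {
    "192.0.2.10": "mail.example.co.uk.",   # correct: PTR and A agree
    "192.0.2.20": "mail.example.co.uk.",   # PTR exists but A points elsewhere
}
FAKE_A = {"mail.example.co.uk": ["192.0.2.10"]}


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def fake_a(name):
    return FAKE_A.get(name.rstrip(".").lower(), [])


def demo():
    """Run the check against the three constructed cases."""
    helo = "mail.example.co.uk"
    return {
        "good": check_sending_host("192.0.2.10", helo, fake_ptr, fake_a),
        "ptr_mismatch": check_sending_host("192.0.2.20", helo, fake_ptr, fake_a),
        "no_ptr": check_sending_host("192.0.2.30", helo, fake_ptr, fake_a),
        "helo_mismatch": check_sending_host("192.0.2.10", "sbs.internal", fake_ptr, fake_a),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'OK' if not result else '; '.join(result)}")
```

The "no PTR" case is the situation described for the public IP in this thread: the A record exists, but nothing maps the IP back to a name, which is exactly what reputation-based receivers treat as a weak signal. Only the owner of the IP block (normally the ISP) can publish the PTR.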

kevin1983Author Commented: 2011-10-18

do you mean use the message tracking tool on Exchange to list recent emails? I had a look on our Sonicwall ES300 box and can't see excessive outgoing email

0

kevin1983Author Commented: 2011-10-18

HendrikWiese: not sure if I've done the check correctly, but looks like we have an A record but no reverse lookup found for our public IP address of 212.169.35.122. However the IP address for our A record for the public IP has a PTR record. Is this correct?

It looks like A record 30 is on a blacklist - backscatter - and asks for payment to be removed from their website, see mxtoolbox screenshot
although I think usually mail should always be going via the first A record (10) not 20 or 30.

0

kevin1983Author Commented: 2011-10-18

still not sure which logs need to be checked on Exchange, please clarify

What if we were to remove the 30 record? As email should only be going via the 10 record.
80.87.128.146 is also configured on our sonicwall ES 300 as a backup email SMTP server which is a server hosted externally by the people who maintain our domain name - perhaps this is causing an issue.

The backup SMTP server is only meant to be used to hold copies of emails in the event we have an internal issue with our email server or internet connection preventing email from being delivered to us. Once the issue is resolved the backup SMTP server feed should send email on to us.

0

kevin1983Author Commented: 2011-10-18

HendrikWiese: ok thanks, I just completed the form, although it says they currently only respond to people in the US or Canada and I'm based in the UK so may not get an answer

Hope they do help you though. But yes, removing the 30 record will also do the trick. Although everything should be going through your 10 record.

0

kevin1983Author Commented: 2011-10-18

ok, so if everything is going through 30 I don't really understand why this would have an impact, unless just some emails have gone through 30. We don't really want to pay backscatter to get us removed as it doesn't seem right. We don't feel we have been doing anything wrong without knowing

This is a downfall with Exchange: proper reporting. You can use your Message Tracking under your tools to see if there were high message volumes. You can also then select all and copy to Excel to sort and manage results.

0

kevin1983Author Commented: 2011-10-18

OK I've done that and can't see any excessive email being sent out from anyone, so I guess this suggests no user's mailbox or client computer has been infected? Or could junk email possibly still have been sent out without being logged on Exchange and the Sonicwall box?

If you don't see anything suspicious on the user mailboxes then it would be safe to assume that no users were affected.

0

kevin1983Author Commented: 2011-10-18

ok I guess that's good news in one way, any suggestions on how we might have got onto the blacklist in the first place?

Our Sonicwall box seems to have an upgraded Kaspersky anti-virus service to check outgoing email for viruses, monitors excessive outgoing email, and defends against zombie computers, and can alert me if email is sent from an address not in our LDAP, which I'm thinking might be worth paying for (annual fee), although if no users were infected this time perhaps it's something else we need to do to prevent it happening again in future. I'm just not sure what could be done.

Yes, that is possibly spam mails coming in to your domain and then the postmaster address replies with endless non-delivery reports, and thus the blacklist. You would have to stop those emails.

0
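The mechanism described above is backscatter: spam arrives with a forged envelope sender, the gateway accepts it for a recipient that does not exist, and the NDR it then generates is delivered to the innocent address that was forged. The model below is an added example written for this thread (not the appliance's logic or the original poster's configuration) contrasting that accept-then-bounce behaviour with rejecting unknown recipients during the SMTP RCPT TO step, where no NDR is ever produced. The recipient list and inbound messages are constructed for the demonstration.

```python
"""Backscatter: accept-then-bounce versus reject-at-RCPT for unknown recipients."""
from dataclasses import dataclass

# Constructed directory of mailboxes the gateway should accept mail for.
VALID_RECIPIENTS = {"alice@example.co.uk", "admin@example.co.uk"}


@dataclass
class Inbound:
    envelope_from: str   # MAIL FROM; spam routinely forges this
    rcpt_to: str         # RCPT TO


# Constructed inbound traffic: one legitimate message, a spam run that
# guesses mailbox names with forged senders, and one bounce (null sender).
SAMPLE = [
    Inbound("bob@partner.example", "alice@example.co.uk"),
    Inbound("victim1@innocent.example", "zzz123@example.co.uk"),
    Inbound("victim2@innocent.example", "qwerty@example.co.uk"),
    Inbound("victim3@innocent.example", "alice@example.co.uk"),
    Inbound("", "nobody@example.co.uk"),
]


def accept_then_bounce(messages, valid=VALID_RECIPIENTS):
    """Policy A: accept every message, then send an NDR for each unknown recipient.

    Returns the NDRs that would leave the site as (to, about) pairs. A message
    with a null envelope sender is a bounce itself and must never be bounced
    again, so it is silently dropped rather than answered.
    """
    ndrs = []
    for m in messages:
        if m.rcpt_to not in valid and m.envelope_from:
            ndrs.append((m.envelope_from, m.rcpt_to))
    return ndrs


def reject_at_rcpt(messages, valid=VALID_RECIPIENTS):
    """Policy B: answer 550 to RCPT TO for unknown recipients.

    The sending MTA receives the refusal inside the SMTP session, so the
    receiving site never creates a message of its own. Returns counts plus
    the (always empty) list of NDRs originated here.
    """
    accepted = sum(1 for m in messages if m.rcpt_to in valid)
    rejected = sum(1 for m in messages if m.rcpt_to not in valid)
    return {"accepted": accepted, "rejected_550": rejected, "ndrs_sent": []}


def compare(messages, valid=VALID_RECIPIENTS):
    """Number of NDRs each policy sends to third parties for the same traffic."""
    return {
        "accept_then_bounce": len(accept_then_bounce(messages, valid)),
        "reject_at_rcpt": len(reject_at_rcpt(messages, valid)["ndrs_sent"]),
    }


if __name__ == "__main__":
    for to, about in accept_then_bounce(SAMPLE):
        print(f"Policy A sends NDR to {to} about {about}")
    print(compare(SAMPLE))
```

In the sample, policy A sends two NDRs to addresses that never sent anything; multiply that by a spam run and the site's IP is the one that ends up listed. Policy B depends on the gateway knowing the valid recipient list, which is why the thread's advice centres on tying the appliance to the LDAP directory.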

kevin1983Author Commented: 2011-10-18

ok - I think I've found where this address is set up on our Sonicwall box - see screenshot

I tried changing the address to a valid LDAP address but it is still logging as sending out some email on the Sonicwall box and says even though it's marked email as spam it has still delivered the email. Not too sure how to stop the emails going out unless I blank out the fields

0

kevin1983Author Commented: 2011-10-18

seems like if I try to remove the address it won't let me save the config - an address has to be there of some sort

It should be fine if you change it to an internal LDAP address, as your PTR should also respond correctly, which will stop the blacklisting issue

0

kevin1983Author Commented: 2011-10-18

ok, interestingly, if I set the address to administrator@wisdom.ltd.uk, which is a valid LDAP address, the Sonicwall box is marking all the emails as likely spam but still delivering them, whereas when the address was postmaster@mail.wisdom.ltd.uk it was not marking the email as likely spam and was delivering them.

I would have thought the postmaster@mail.wisdom.ltd.uk setup would have been marked as spam email, not the other way around

The host name of the Sonicwall box is mail.wisdom.ltd.uk so I guess it defaulted the postmaster address from the host name.

0

kevin1983Author Commented: 2011-10-18

I guess postmaster / NDR addresses are a requirement? There's also an optional Transient NDR setting on the Sonicwall box (see screenshot) but not sure if this helps in any way

0

kevin1983Author Commented: 2011-10-18

Various emails being sent out to strange email addresses - concerned this may still cause issues and put us onto a blacklist - see screenshot

0

kevin1983Author Commented: 2011-10-18

but I guess not, as you say the address is valid / on our LDAP it should be ok now
